Category: Regulations

If this bill becomes law, companies would have to explain why they want to collect, use and store your personal data.

The bill would forbid companies from collecting data that isn’t necessary to deliver or improve a service, or to make a transaction. If data is transferred to a third party, that party would have to sign a contract agreeing to the terms of the bill.

Last year, the Federal Trade Commission called for a “Do Not Track” list that would prevent Internet companies from following users around the Web, and all browsers would be required to offer this feature. The bill from Kerry and McCain ignores the FTC’s advice, leaving the issue of “Do Not Track” in the hands of individual Web browsers, all of which tackle the problem differently. If you discover that a company was covertly gathering your personal information and sending it to who-knows-where, you wouldn’t be allowed to take the case to court. The FTC and state attorneys general would be the only entities that could take action against a company for privacy violations.

Consumer groups that take a hard line on user privacy don’t think the Kerry-McCain bill goes far enough. … And they don’t like how the Commerce Department, which primarily promotes the interests of businesses, can make exceptions for businesses that come up with alternative privacy plans. … The consumer groups also claim that Facebook and other “social media marketers” get special treatment because they can continue to gather data without sufficient safeguards.

http://www.csoonline.com/article/679529/kerry-mccain-privacy-bill-what-you-need-to-know?source=CSONLE_nlt_update_2011-04-14

While a large company can shell out hundreds of thousands of dollars for assessment and compliance solutions, that sort of money is not in the budget of most smaller firms. Yet, even small companies may need to comply with at least one — and sometimes more — security regulations that govern the data that they store on their servers.

Medical firms need to abide by the Health Insurance Portability and Accountability Act (HIPAA). Small banks have to comply with the Gramm-Leach-Bliley Act (GLBA). And any firm holding credit-card data needs to be compliant with the Payment Card Industry (PCI) Data Security Standards.

For small and midsize businesses, perusing the PCI standards is a good first step, Corman says, because most businesses accept credit cards and because many other standards use the PCI requirements as a starting point. The first is initial design and implementation of systems to collect the data and create the reports needed to pass future audits. Because many smaller businesses do not have dedicated IT staff — never mind IT security staff — the company usually has to pay a security consultant or assessor to do this work.

The second major cost is the ongoing effort needed to collect the data necessary for compliance validation. “One client kept track of the time spent on compliance and found that, in year one, they spent 60 percent of staff time on collecting log data for reports,” he says.

Finally, SMBs must pay an auditor to verify that they are complying with regulations. Many companies look to minimize their compliance costs and go for the checkboxes, without really paying much attention to real security — even though fixing their security problems can mean avoiding a costly breach. Companies that minimize the number of systems that handle data can significantly reduce the cost of an audit as well, Corman says.

“SMBs might want one-stop shopping to save money, but it is a healthy practice to make sure that you are not getting your auditing from companies the sell products,” he says.

http://www.darkreading.com/smb-security/security/management/showArticle.jhtml?articleID=226700099

In comparison, the U.K.’s disclosure guidelines are less specific than the proposed Irish code of practice, Malcolm said. However, the U.K.’s Information Commissioner does expect organizations to report serious data breaches, he said.

In April, the U.K. Information Commissioner for the first time gained the power to fine organizations for violating the Data Protection Act. The European Union has a data breach disclosure law on the books, but it only applies to telecommunication companies.

http://news.idg.no/cw/art.cfm?id=21BB489B-1A64-6A71-CE1333F9221EF072

Smith says updating both laws will help provide greater legal certainty related to cloud computing.

While lawmakers, industry, public interest groups and others debate how to update ECPA, there has been little discussion of also updating the CFAA. In an interview following his speech to the Gov 2.0 Expo this week, Smith noted one area that an update of CFAA could address is the ability of cloud service providers to sue those who may attack data stored by an indivdual in the cloud operated by a third party.

During a Senate Judiciary hearing late last year on legal issues related to cyber attacks, at least one witness also cited the need to update the CFAA.

“This includes the right of private response to computer penetrations, such as cyber counterattacks, by our government or private individuals or companies in retaliation for cyber intrusions.”

http://techdailydose.nationaljournal.com/2010/05/microsoft-official-calls-for-u.php

In fact, with no penalties for failure to notify security breaches, the provisions may do more harm than good since Canadians will expect to receive notifications in the event of a breach, but companies may err on the side of not notifying (given the very high threshold discussed below) safe in the knowledge that there are no financial penalties for failing to do so.

The bill changes the definition of business contact information (which is not treated as personal information) by expressly including business email addresses. This overturns a successful complaint I filed years ago against the (now defunct) Ottawa Renegades over their use of my email address. The change further confirms that PIPEDA cannot be used in spam cases, but C-28 should provide far more effective tools.

The bill establishes a new prospective business transaction exception that permits use and disclosure of personal information in various business transactions. The provision creates some limits on the use of the information, but is designed to address concerns from the business community that PIPEDA could create barriers to mergers and acquisitions as well as other transactions.

The bill creates a new work product exception for the collection, use, and disclosure for information produced by an individual in the course of the employment.

The bill purports to clarify “lawful authority” (ie. disclosure to lawful authority without a court order) but as David Fraser notes it really doesn’t clarify much of anything.

Rather, it encourages disclosures without court oversight by confirming that businesses are not required to verify the validity of the lawful authority. The organization makes its own determination of whether there is a real risk having regard to the sensitivity of the information and the probability that the personal information has been, is being, or will be misused.

By comparison, the California law requires disclosure of any breach of unencrypted personal information that is reasonably believed to have been acquired by an unauthorized person.

In other words, the only threshold is whether an unauthorized person acquired the information, not whether there is real risk of significant harm (other states merely require harm, not significant harm).

Security breach disclosure was widely recognized as a major hole in the Canadian law framework, yet this proposal is a major disappointment that falls far short of striking the right balance between protecting Canadians, encouraging appropriate safeguards of personal information, and guarding against overwhelming Canadians with too many notices.

http://www.michaelgeist.ca/content/view/5059/125/

Multinational companies can use binding corporate rules to send data to parts of the company in different countries, and companies can also use model contract clauses produced by the European Commission to bind companies outside of the EU to its high data protection standards.

The Düsseldorfer Kreis has said, though, that there are worries about how thorough US companies are being when they claim they have complied with the Safe Harbor deal, and has told German companies that they must make their own checks on US firms. “Any certification older than seven years old is not valid.” The group also said that companies must check how US companies tell the subjects of the data being transferred that it is processing their data and ensure that privacy regulators can check that this has been done.

A large number of organisations failed to comply with Principle 7 — Enforcement and Dispute Resolution, as they did not identify an independent dispute resolution process for consumers. Many of these false claims have continued for several years,” said the study, which examined compliance with just one of the scheme’s seven Safe Harbor Framework Principles. The study was not the first to find problems in the implementation of the Safe Harbor programme.

“Overall the study found that the problems identified in previous reviews of the Safe Harbor have not been rectified, and that the number of false claims made by organisations represents a significant privacy risk to consumers,” it said.

Louise Townsend of Pinsent Masons, the law firm behind OUT-LAW.COM, said that companies should be making basic checks on any firm they hire to process data for them even if they are part of the Safe Harbor programme.

http://www.theregister.co.uk/2010/05/25/eu_us_privacy/